HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118
    Today I got this while trying to launch Skype (v7.26.0.101). Skype is only in blue tile (automatic setting).



    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    RtlInitUnicodeStringEx +0x46 RET LoadLibraryExW +0x4c
    0x771633C6 ntdll.dll 0x76C592DC KernelBase.dll

    CoGetCurrentLogicalThreadId +0x252 RET CoGetCurrentLogicalThreadId +0x142
    0x74E0CCD2 combase.dll 0x74E0CBC2 combase.dll

    0x74E6258D combase.dll RET 0x74E0EC23 combase.dll

    RtlEnterCriticalSection +0x2b RET* 0x010DFC8E Skype.exe
    0x7716F7AB ntdll.dll
    004265 ADD [EDX+0x65], AL
    7269 JB 0x10dfcfc
    636874 ARPL [EAX+0x74], BP
    7479 JZ 0x10dfd11
    7065 JO 0x10dfcff
    007365 ADD [EBX+0x65], DH
    6c INS BYTE [ES:EDI], DX
    6563746565 ARPL [GS:EBP+0x65], SI
    7220 JB 0x10dfcc5
    65656e OUTS DX, BYTE [GS:ESI]
    206c616e AND [ECX+0x6e], CH
    64206f66 AND [FS:EDI+0x66], CH
    207265 AND [EDX+0x65], DH
    67696f006e756d6d IMUL EBP, [BX+0x0], 0x6d6d756e
    657274 JB 0x10dfd32
    7970 JNS 0x10dfd30
    (47F6E2CBEFCFA343)


    0x771B17CD ntdll.dll RET* 0x010DCCFE Skype.exe
    3f AAS
    003c62 ADD [EDX], BH
    3e50 PUSH EAX
    726f JB 0x10dcd75
    626c656d BOUND EBP, [EBP+0x6d]
    656e OUTS DX, BYTE [GS:ESI]
    206d65 AND [EBP+0x65], CH
    7420 JZ 0x10dcd31
    7577 JNZ 0x10dcd8a
    206765 AND [EDI+0x65], AH
    6c INS BYTE [ES:EDI], DX
    7569 JNZ 0x10dcd82
    643f AAS
    3c2f CMP AL, 0x2f
    623e BOUND EDI, [ESI]
    00436f ADD [EBX+0x6f], AL
    (49D3EFD96B891018)


    WaitForMultipleObjects +0x19 ~ RET* 0x010DCD3F Skype.exe
    0x76C61929 KernelBase.dll
    696a6e2061616e IMUL EBP, [EDX+0x6e], 0x6e616120
    6765736c JAE 0x10dcdb6
    6f OUTS DX, DWORD [ESI]
    7465 JZ 0x10dcdb2
    6e OUTS DX, BYTE [ESI]
    2e00436f ADD [CS:EBX+0x6f], AL
    6e OUTS DX, BYTE [ESI]
    7472 JZ 0x10dcdc7
    6f OUTS DX, DWORD [ESI]
    6c INS BYTE [ES:EDI], DX
    65657220 JB 0x10dcd7b
    6f OUTS DX, DWORD [ESI]
    66207577 AND [EBP+0x77], DH
    206c7569 AND [EBP+ESI*2+0x69], CH
    647370 JAE 0x10dcdd7
    7265 JB 0x10dcdce
    (476383C98C3CF8A8)


    WaitForMultipleObjectsEx +0x131 ~ RET WaitForMultipleObjects +0x18
    0x76C61A71 KernelBase.dll 0x76C61928 KernelBase.dll

    PerfIncrementULongLongCounterValue +0xcd RET WaitForMultipleObjectsEx +0x12e
    0x76C8570D KernelBase.dll 0x76C61A6E KernelBase.dll

    WaitForMultipleObjectsEx +0x1a0 RET WaitForMultipleObjectsEx +0x10c
    0x76C61AE0 KernelBase.dll 0x76C61A4C KernelBase.dll

    NtWaitForMultipleObjects +0xc ~ RET WaitForMultipleObjectsEx +0xf0
    0x7719E1BC ntdll.dll 0x76C61A30 KernelBase.dll

    0x56A6222C wow64cpu.dll ~ RET TurboDispatchJumpAddressEnd +0x9e
    0x56A61D8A wow64cpu.dll

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 76C593C8 KernelBase.dll LoadLibraryExW +0x138

    2 74E0CC52 combase.dll CoGetCurrentLogicalThreadId +0x1d2
    8bd8 MOV EBX, EAX
    85db TEST EBX, EBX
    0f84f9420b00 JZ 0x74ec0f55
    56 PUSH ESI
    57 PUSH EDI
    53 PUSH EBX
    33d2 XOR EDX, EDX
    33c9 XOR ECX, ECX
    e815000000 CALL 0x74e0cc7d
    8b4d0c MOV ECX, [EBP+0xc]
    8bc6 MOV EAX, ESI
    5f POP EDI
    5e POP ESI
    8919 MOV [ECX], EBX
    5b POP EBX
    8be5 MOV ESP, EBP

    3 74E0CBCA combase.dll CoGetCurrentLogicalThreadId +0x14a
    4 74E0CD50 combase.dll CoGetCurrentLogicalThreadId +0x2d0
    5 74E0EC37 combase.dll
    6 74E6056E combase.dll
    7 74E0E1F2 combase.dll
    8 74E53B3A combase.dll
    9 74E24474 combase.dll
    10 74E27AE3 combase.dll

    Process Trace
    1 C:\Program Files (x86)\Skype\Phone\Skype.exe [7148]
    2 C:\Windows\explorer.exe [3696]
    3 C:\Windows\System32\userinit.exe [3608]
     
  2. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    So is HMP.A still **** for doing what it was designed to do then?
     
  3. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Hello Dragon,
    If you have a key you can upgrade to 2.21.204.465; if not, you can get a free lifetime licence.
     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    One can disable HMP.A's MBR protection for the time needed for actions such as described by mohankrajan, and re-enable afterwards. There's no need to leave it disabled all the time, of course.
     
  5. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    My key is not accepted in 2.21, so I am running the free trial now. I might uninstall and go back to version 1.9.3.
     
  6. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    42
    Location:
    The Netherlands
    To me security is about creating layers which malware needs to chew on to break through. Even if Secure Boot is not the silver bullet, I still like to have it ready in my "gun" so I can fire it against incoming malware. HMPA is another bullet to kill off the malware. So yes, I too like HMPA to work asap. I paid for it, and sure, I can understand certain delays in its workability.

    It does help when I get informed of progress made in resolving the driver issue at hand.
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    For clarity - the mentioned MBR protection feature is not connected to the Windows 10 Anniversary Update HMP.A driver issue.
    Regarding HMP.A's MBR protection, that can be temporarily disabled if there is a need for that.
    Regarding the unrelated Windows 10 Anniversary Update issue, the HMP.A team was unpleasantly surprised by Microsoft's new policy, and is working to get the issue resolved for HMP and HMP.A, as Erik mentioned. In the meantime, disabling Windows 10 Secure Boot can be a workaround for that issue.
     
  8. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    42
    Location:
    The Netherlands
    @Stupendous Man: I read you loud and clear. However, you are not Erik of SurfRight/Sophos. It is an update from him or his colleague I seek concerning the current situation of a now "broken" layer I like to have available/running alongside other protective tools I bought.

    That is all.
     
  9. ParallelTwin

    ParallelTwin Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    7
    Location:
    Sydney
    LINQPad fails to load. In fact, any 32-bit .NET app seems to fail to load properly for me; I had to uninstall. (I think a bunch of related Visual Studio processes went wonky too.)

    Also, about 3/10 times I do a Windows+S to search for something, the encryption is displaying instead of the actual keys I press...
     
  10. mirage22

    mirage22 Registered Member

    Joined:
    Apr 20, 2016
    Posts:
    51
    Word 2016

    Mitigation DEP

    Platform 10.0.14393/x64 06_3a
    PID 20028
    Application C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Description Microsoft Word 16

    EIP = 02E8E818, State = 0x1000, Type = 0x20000, Protect = 0x4

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 779C23B2 ntdll.dll RtlConvertUlongToLargeInteger +0xa2
    2 779C2384 ntdll.dll RtlConvertUlongToLargeInteger +0x74
    3 779AFF1F ntdll.dll KiUserExceptionDispatcher +0xf

    4 56D3F403 WWLIB.DLL
    807dbb00 CMP BYTE [EBP-0x45], 0x0
    0f85a4aacdff JNZ 0x56a19eb1
    8b03 MOV EAX, [EBX]
    80b80501000000 CMP BYTE [EAX+0x105], 0x0
    0f8495aacdff JZ 0x56a19eb1
    c6800501000000 MOV BYTE [EAX+0x105], 0x0
    33c0 XOR EAX, EAX
    40 INC EAX
    8845cb MOV [EBP-0x35], AL
    e983aacdff JMP 0x56a19eb1

    5 56A4836B WWLIB.DLL
    6 56A6355B WWLIB.DLL
    7 5699B06E WWLIB.DLL
    8 5699AF74 WWLIB.DLL
    9 56A6A06E WWLIB.DLL
    10 56994FCA WWLIB.DLL

    Code Injection
    00B45000-00B46000 4KB n/a [26256]
    00B40000-00B41000 4KB

    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [20028]
    "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\NAME\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\I9QCMY0U\ChangeLog (002).docx" /o ""
    2 C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9036]
    3 C:\Windows\explorer.exe [15112]
    4 C:\Windows\System32\userinit.exe [5076]
    5 C:\Windows\System32\winlogon.exe [15516]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    6 C:\Windows\System32\smss.exe [8472]
    \SystemRoot\System32\smss.exe 00000160 0000007c C:\WINDOWS\System32\WinLogon.exe -SpecialSession
     
  11. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    The MBR protection might work a bit too well: I got an interception when trying to mark a partition as active using Windows 10 (1607) Disk Management.

    I thought Windows default Apps would be whitelisted, but apparently not.
     
  12. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    I don't think so.
    Diskpart (the command line tool behind Disk Management) could be abused to wipe a drive, or partition.
     
  13. plat1098

    plat1098 Guest

    I hope the developers haven't forgotten about us. You can get by without SecureBoot, but it would be great to have everything in a row again. A little status update would be appreciated.......:cool:
     
  14. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Norton Security CryptoGuard mitigation. Has something to do with LiveUpdate.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 19-8-2016 07:59:06
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation CryptoGuard

    Platform 10.0.14393/x64 06_5e
    PID 2860
    Application C:\Program Files (x86)\Norton Security with Backup\Engine\22.7.0.76\nsbu.exe
    Description Norton Security with Backup 22.7

    Filename C:\Program Files (x86)\Norton Security with Backup\Engine\22.7.0.76\nsbu.exe

    C:\Program Files (x86)\Norton Security with Backup\Branding\22.7.1.32\13\01\readme.htm.ptx
    C:\Program Files (x86)\Norton Security with Backup\Engine\22.7.1.32\x86\x86\gearaspiwdm.sys.ptx
    C:\Program Files (x86)\Norton Security with Backup\Engine\22.7.1.32\x64\x64\gearaspiwdm.sys.pt

    Win10 1607 build 14393.51 x64/Norton Security v22.7.0.76/HmpA build 546.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    That false-positive was fixed with a newer beta.

    Just disable CryptoGuard until you've updated Norton.
     
  16. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Upgraded/updated to build 550 beta: no problems. Norton Security updated/upgraded to v22.7.1.32.
     
  17. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    575
    The same or a similar thing is happening to me as to deugniet: HMP.A is preventing NIS from running Live Update.

    I disabled CryptoGuard, ran Live Update again -- and HMP.A intercepted NIS again on CryptoGuard even though I had just finished disabling CryptoGuard protection in HMP.A.

    Very annoying. Bottom line is, I can't update Norton now. :thumbd:

    Windows 7 HP x64, SP1; NIS 22.7.0.76; HMP.A 3.5.0 build 546.

    Can I install build 550 on top of 546?
     
  18. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Yes. Then run Liveupdate.
     
  19. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118
    Does anyone know are there any discounts or promotions going on? I would like to promote this app to my relatives. :)
     
  20. john7

    john7 Registered Member

    Joined:
    Aug 19, 2016
    Posts:
    14
    Location:
    UK
    HitmanPro.Alert is blocking the current Norton update. I had to totally disable the program, then uninstall and reinstall Norton; it was so messed up by the failed patching.
     
  21. john7

    john7 Registered Member

    Joined:
    Aug 19, 2016
    Posts:
    14
    Location:
    UK
    Norton patch blocking log
    - System
    -
    Provider
    [ Name] HitmanPro.Alert
    - EventID 911
    [ Qualifiers] 0
    Level 2
    Task 9
    Keywords 0x80000000000000
    - TimeCreated
    [ SystemTime] 2016-08-19T07:44:53.335430000Z
    EventRecordID 3059
    Channel Application
    Computer Johns-laptop
    Security
    -
    EventData
    C:\Program Files (x86)\Norton Security with Backup\Engine\22.7.0.76\nsbu.exe
    CryptoGuard
    Mitigation CryptoGuard

    Platform 10.0.14393/x64 06_3c
    PID 2216
    Application C:\Program Files (x86)\Norton Security with Backup\Engine\22.7.0.76\nsbu.exe
    Description Norton Security with Backup 22.7

    Filename C:\Program Files (x86)\Norton Security with Backup\Engine\22.7.0.76\nsbu.exe

    C:\Program Files (x86)\Norton Security with Backup\MUI\22.7.1.32\09\01\avpapp32.loc.ptx
    C:\Program Files (x86)\Norton Security with Backup\MUI\22.7.1.32\09\01\av.loc.ptx
    C:\Program Files (x86)\Norton Security with Backup\MUI\22.7.1.32\09\01\asres.loc.ptx
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    The same issue was reported by user deugniet.
    A solution was also mentioned: update HitmanPro.Alert to beta version 3.5.1.550.
     
    Last edited: Aug 19, 2016
  23. ohgood

    ohgood Registered Member

    Joined:
    Apr 3, 2015
    Posts:
    39
    Location:
    cold upper midwest
    ^ +1 :D
     
  24. john7

    john7 Registered Member

    Joined:
    Aug 19, 2016
    Posts:
    14
    Location:
    UK
    How do you get the beta, I can't find it?
     
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    The HitmanPro.Alert 3.5.1 Build 550 beta download link and changelog are in Mark Loman's (developer) August 8 post.
    The changelog is for beta build 550 compared to beta build 548.
    If you'd like to know what was in beta build 548, compared to build 546, have a look at the previous build 548 post.
     